4

I have an IIS-hosted ASP.NET WebAPI app and I'm using ServerVariables["REMOTE_ADDR"] to get the client address and identify the user: the client logs in and I will generate a cookie that contains the client IP. In subsequent calls I will get the IP from the cookie and validate that it is correct.

Can I trust the address, or is there a way that ServerVariables["REMOTE_ADDR"] returns e.g. 161.121.222.223 and the client is really somewhere else?

ThinkingStiff
KiLa

2 Answers

3

Yes, it's safe. It is the source IP of the TCP connection and can't be substituted by changing an HTTP header.

One case you may want to be wary of is if you are behind a reverse proxy, in which case the REMOTE_ADDR will always be the IP of the proxy server and the user IP will be provided in an HTTP header (such as X-Forwarded-For). But for the normal use case reading REMOTE_ADDR is fine.

Taken from: Is it safe to trust $_SERVER['REMOTE_ADDR']?

Community
Kao
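
The reverse-proxy case from the answer above, as an added example that is not part of the original answers: X-Forwarded-For is honoured only when REMOTE_ADDR is one of your own proxies, and is otherwise ignored because a direct client can send any header value. The class and method names, the proxy address 10.0.0.5 and the sample header values are constructed for illustration, and the code assumes each proxy appends the peer address it saw to the header.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

public static class ClientAddress   // hypothetical helper, not an ASP.NET API
{
    // remoteAddr     : value of ServerVariables["REMOTE_ADDR"] (the TCP peer)
    // xForwardedFor  : raw X-Forwarded-For header value, or null if absent
    // trustedProxies : addresses of reverse proxies you operate yourself
    public static IPAddress Resolve(string remoteAddr, string xForwardedFor,
                                    ISet<IPAddress> trustedProxies)
    {
        IPAddress peer = IPAddress.Parse(remoteAddr);

        // Direct connection: the header is client-controlled, so ignore it.
        if (!trustedProxies.Contains(peer) || string.IsNullOrWhiteSpace(xForwardedFor))
            return peer;

        // Walk right to left. The rightmost entries were appended by our own
        // proxies; the first entry that is not one of them is the address our
        // outermost proxy actually saw. Anything further left is unverified.
        string[] hops = xForwardedFor.Split(',');
        for (int i = hops.Length - 1; i >= 0; i--)
        {
            IPAddress hop;
            if (!IPAddress.TryParse(hops[i].Trim(), out hop))
                return peer;            // malformed entry: fall back to the TCP peer
            if (!trustedProxies.Contains(hop))
                return hop;
        }
        return peer;                    // every hop was one of our proxies
    }

    public static void Main()
    {
        // Constructed sample data.
        var proxies = new HashSet<IPAddress> { IPAddress.Parse("10.0.0.5") };

        // Client connects directly and forges the header: header is ignored.
        Console.WriteLine(Resolve("161.121.222.223", "203.0.113.9", proxies));

        // Request arrives through our proxy: the proxy-appended entry is used.
        Console.WriteLine(Resolve("10.0.0.5", "161.121.222.223", proxies));

        // Client forged a leading entry before the proxy appended the real peer.
        Console.WriteLine(Resolve("10.0.0.5", "198.51.100.7, 161.121.222.223", proxies));
    }
}
```
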
0

Yes, it's reliable. It can't be modified by the client, except by simply connecting from another IP. (Proxy)

xinux